Author: dj Date: Thu Sep 29 09:34:17 2016 New Revision: 1762751 URL: http://svn.apache.org/viewvc?rev=1762751&view=rev Log: OAK-4845 : Regression: DefaultSyncContext does not sync membership to a local group
Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java?rev=1762751&r1=1762750&r2=1762751&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java (original) +++ jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java Thu Sep 29 09:34:17 2016 @@ -533,7 +533,8 @@ public class DefaultSyncContext implemen if (a == null) { grp = createGroup(extGroup); log.debug("- created new group"); - } else if (a.isGroup() && isSameIDP(a)) { + } else if (a.isGroup() && (getIdentityRef(a) == null || isSameIDP(a))) { + // limit to same IDP or local (no IDP ref) groups, see OAK-4845 grp = (Group) a; } else { log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", extGroup.getId(), idp.getName()); Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java?rev=1762751&r1=1762750&r2=1762751&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java (original) +++ jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/package-info.java Thu Sep 29 09:34:17 2016 @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -@Version("1.2.0") +@Version("1.2.1") @Export package org.apache.jackrabbit.oak.spi.security.authentication.external.basic; Modified: jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java?rev=1762751&r1=1762750&r2=1762751&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java (original) +++ jackrabbit/oak/trunk/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java Thu Sep 29 09:34:17 2016 @@ -64,6 +64,7 @@ import static org.junit.Assert.assertNot import static org.junit.Assert.assertNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; public class DefaultSyncContextTest extends AbstractExternalAuthTest { @@ -539,11 +540,13 @@ public class DefaultSyncContextTest exte // 1. membership nesting is < 0 => membership not synchronized syncConfig.user().setMembershipNestingDepth(-1); syncCtx.sync(user.getID()).getStatus(); + root.commit(); assertTrue(gr.isDeclaredMember(user)); // 2. membership nesting is > 0 => membership gets synchronized syncConfig.user().setMembershipNestingDepth(1); assertEquals(SyncResult.Status.UPDATE, syncCtx.sync(user.getID()).getStatus()); + root.commit(); assertFalse(gr.isDeclaredMember(user)); } @@ -568,6 +571,7 @@ public class DefaultSyncContextTest exte syncConfig.user().setMembershipNestingDepth(1); assertEquals(SyncResult.Status.UPDATE, syncCtx.sync(user.getID()).getStatus()); + root.commit(); // since the group is not associated with the test-IDP the group-membership // must NOT be modified during the sync. @@ -614,8 +618,7 @@ public class DefaultSyncContextTest exte setExternalID(gr, "foreignIDP"); // but don't set rep:lastSynced :-) root.commit(); - SyncResult result = syncCtx.sync(externalUser); - assertSame(SyncResult.Status.ADD, result.getStatus()); + sync(externalUser); User user = userManager.getAuthorizable(externalUser.getId(), User.class); assertNotNull(user); @@ -636,6 +639,37 @@ public class DefaultSyncContextTest exte } } + /** + * @see <a href="https://issues.apache.org/jira/browse/OAK-4845">OAK-4845</a> + */ + @Test + public void testMembershipForExistingLocalGroup() throws Exception { + syncConfig.user().setMembershipNestingDepth(1).setMembershipExpirationTime(-1).setExpirationTime(-1); + syncConfig.group().setExpirationTime(-1); + + ExternalUser externalUser = idp.getUser(USER_ID); + ExternalIdentityRef groupRef = externalUser.getDeclaredGroups().iterator().next(); + + // create the group locally (has no rep:externalId) + Group gr = userManager.createGroup(groupRef.getId()); + root.commit(); + + sync(externalUser); + + User user = userManager.getAuthorizable(externalUser.getId(), User.class); + assertNotNull(user); + + // verify membership gets added + assertTrue(gr.isDeclaredMember(user)); + Iterator<Group> declared = user.declaredMemberOf(); + while (declared.hasNext()) { + if (gr.getID().equals(declared.next().getID())) { + return; + } + } + fail(); + } + @Test public void testGetAuthorizableUser() throws Exception { ExternalIdentity extUser = idp.listUsers().next();